Cyber Attackers Increasingly Sneaking Corporate Data Out Through DNS

Almost 90 percent of firms have suffered an attack against their domain-name system infrastructure, and nearly half have detected data leaving their network through DNS.

For years, researchers have studied the use of domain-name service (DNS) traffic as a way to hide attackers’ communications. Now, companies are increasingly encountering the tactic, according to a survey released on Dec. 16 by infrastructure-security firm Cloudmark.
About 46 percent of companies detected data leaving their network through DNS communications, the survey of 300 U.S. and UK companies found. The exfiltration of data through DNS was the second most common attack against the infrastructure—a distance second to the 74 percent of companies that suffered a denial-of-service attack against their DNS servers, according to the survey’s respondents.
Despite the frequent attacks against DNS infrastructure, many security professionals are not sold on protecting their domain-name service traffic, Neil Cook, chief technology officer of Cloudmark, told eWEEK.
“Most organizations don’t think about DNS as something that can be used to exfiltrate data,” he said.

Security researchers first suggested using DNS traffic as a covert communications channel in the late 1990s, but the concept only gained widespread acceptance following a presentation by security researcher Dan Kaminsky at the DEFCON hacking conference in 2004.

The technique is simple. Attackers encode data in base 64 and encapsulate the information within DNS requests, which are sent to an attacker-controlled server. The server then decodes the traffic and recovers the data.
Generally, such techniques are considered tunneling if the communications channel can send data in either direction. DNS exfiltration is focused on getting the data outside of a company’s firewall without being detected.
The straightforward technique is difficult to stop because every company needs to allow domain traffic to pass to the Internet. Moreover, because many companies are not looking for such covert communications channels, attackers are likely successful in exfiltrating sensitive corporate data, Cloudmark’s Cook said.
“You could have all the Web content filtering and [advanced protection] in the world, and it won’t make a difference,” Cook said. “If you are not watching your DNS channels, you will not see the data.”
While 55 percent of information-technology executives consider data loss a major concern for their business, many are not sold on the need for security focused on the DNS system.
“Even though upper management [was] worried about the loss of confidential and sensitive data, they could not put two and two together and see the threat,” Cook said.
About 56 percent of respondents in the retail, distribution and transportation industry were targeted with attacks that used DNS to sneak out sensitive data, the survey found.